CVE-2025-54366
Published: 26 July 2025
Summary
CVE-2025-54366 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in FreeScout (vendor: Freescout). Its CVSS base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 8.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
FreeScout is a lightweight open source help desk application built with PHP and the Laravel framework. Versions 1.8.185 and earlier contain a deserialization flaw in the /conversation/ajax endpoint. The vulnerability arises when the application passes the attachments_all and attachments POST parameters through the Helper::decrypt function, which deserializes the decrypted, attacker-controlled data without validation. The path is reachable by any authenticated user who also knows the application's APP_KEY: that key is Laravel's encryption key, so holding it is what lets the attacker produce an encrypted envelope that passes the decrypt step and reaches the unserialize call. In practice this means an APP_KEY leak (for example an exposed .env file or a key shared across deployments) turns an ordinary authenticated account into a code-execution foothold.
An attacker with these prerequisites can supply a crafted payload that instantiates arbitrary PHP objects with attacker-chosen property values (a classic PHP object injection primitive, chained through magic methods such as __wakeup or __destruct on classes already loaded by the application), resulting in remote code execution and full compromise of the web application. The issue is tracked as CWE-502 and carries a CVSS 4.0 score of 8.6, reflecting high impact on confidentiality, integrity, and availability once the required conditions are met.
The vulnerability is addressed in version 1.8.186. The project has published a security advisory and a corresponding commit that removes the unsafe deserialization path in the affected endpoint. The EPSS score remains flat at 0.0660, with no material increase observed after disclosure.
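The following is an added illustration, not FreeScout's code or the project's fix, of why the APP_KEY prerequisite matters and what the safe handling of such a parameter looks like. It reconstructs the Laravel encrypted-envelope format (AES-256-CBC plus an HMAC-SHA256 MAC over the base64 IV and ciphertext, as implemented by Illuminate\Encryption\Encrypter) so the whole thing runs stand-alone; the function names, the demo APP_KEY, and the EvilGadget class are assumptions made for this example. The vulnerable handler mirrors the pattern the advisory describes (decrypt, then unserialize); the hardened handler never lets the envelope carry objects at all.

```php
<?php
// Added example (not FreeScout's code): decrypt-then-unserialize on a request
// parameter, next to a hardened version. Demo key only; never reuse it.
const APP_KEY = 'base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='; // 32 zero bytes (assumption)

function appKey(): string {
    return base64_decode(substr(APP_KEY, strlen('base64:')));
}

// Laravel-compatible envelope: anyone holding APP_KEY can mint a valid one.
function laravelEncrypt(string $plaintext): string {
    $key   = appKey();
    $iv    = random_bytes(16);
    $value = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv);
    $mac   = hash_hmac('sha256', base64_encode($iv) . $value, $key);
    return base64_encode(json_encode([
        'iv' => base64_encode($iv), 'value' => $value, 'mac' => $mac, 'tag' => '',
    ]));
}

// Envelope check + decrypt. The MAC is the only thing standing between an
// unauthenticated forger and the unserialize() below: without APP_KEY it fails.
function laravelDecryptRaw(string $payload): string {
    $key  = appKey();
    $json = json_decode(base64_decode($payload), true);
    if (!is_array($json) || !isset($json['iv'], $json['value'], $json['mac'])) {
        throw new RuntimeException('malformed envelope');
    }
    $expected = hash_hmac('sha256', $json['iv'] . $json['value'], $key);
    if (!hash_equals($expected, $json['mac'])) {
        throw new RuntimeException('MAC mismatch: payload was not produced with APP_KEY');
    }
    $plain = openssl_decrypt($json['value'], 'aes-256-cbc', $key, 0, base64_decode($json['iv']));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

// Stand-in gadget (assumption): real chains use classes already present in the
// application's vendor tree. This one only records that attacker-chosen code ran.
class EvilGadget {
    public string $cmd = '';
    public function __wakeup(): void {
        echo "[gadget] __wakeup ran with attacker-controlled cmd: {$this->cmd}\n";
    }
}

// VULNERABLE pattern: whatever the envelope carried is handed to unserialize(),
// so any class in the process becomes instantiable with attacker-chosen fields.
function vulnerableAttachments(string $payload): mixed {
    return unserialize(laravelDecryptRaw($payload));
}

// HARDENED pattern: the plaintext is JSON, and only a flat list of positive
// integer attachment IDs is accepted. Objects can never be reconstructed here.
function hardenedAttachments(string $payload): array {
    $ids = json_decode(laravelDecryptRaw($payload), true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($ids) || $ids !== array_values($ids)) {
        throw new InvalidArgumentException('attachments must be a list');
    }
    foreach ($ids as $id) {
        if (!is_int($id) || $id <= 0) {
            throw new InvalidArgumentException('attachment id must be a positive integer');
        }
    }
    return $ids;
}

// Demo: an attacker who holds APP_KEY forges $evil; a normal client sends $legit.
$g = new EvilGadget();
$g->cmd = 'id';
$evil  = laravelEncrypt(serialize($g));
$legit = laravelEncrypt(json_encode([12, 34]));

vulnerableAttachments($evil);                      // __wakeup fires: object injection
var_dump(hardenedAttachments($legit));             // array(2) { 12, 34 }
try {
    hardenedAttachments($evil);
} catch (JsonException $e) {
    echo "hardened handler rejected the serialized object\n";
}
try {
    vulnerableAttachments(substr($evil, 0, -8) . 'AAAAAAA=');   // corrupted MAC region
} catch (RuntimeException $e) {
    echo "forgery without a valid MAC is rejected: {$e->getMessage()}\n";
}
```

The last case shows the precondition from the advisory: tampering with the envelope without the key trips the MAC check before any deserialization happens, which is exactly why the CVE requires knowledge of APP_KEY. The hardening choice is to remove the object-carrying format rather than to filter class names; an `allowed_classes` denylist is easy to miss and still leaves a parser for attacker-shaped data in the request path.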
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22772
Vulnerability details
FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques? Exploit Public-Facing Application (T1190): unsafe deserialization in a public-facing web application directly enables RCE through the vulnerable /conversation/ajax endpoint.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: mandates timely patching, here upgrading FreeScout to version 1.8.186, to close the deserialization path before it can be exploited for RCE.
- SI-10 (Information Input Validation): requires validation of the user-controlled attachments_all and attachments POST parameters at the /conversation/ajax endpoint so that serialized objects are never accepted.
- RA-5 (Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify systems affected by CVE-2025-54366 for subsequent remediation.